Betr.: Minimum password requirements

• Previous message: Gandalf The White: "Re: Comcast Cable Setup Security Issue"
• Next in thread: Majed Mohammed Ayoub Al-Shodari: "RE: Betr.: Minimum password requirements"
• Maybe reply: Majed Mohammed Ayoub Al-Shodari: "RE: Betr.: Minimum password requirements"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 19 Jul 2004 10:22:01 +0200
To: <security-basics@securityfocus.com>

Hi,

Depending on your company you might not want to delete an account after 44 days (30 + 14). Usually you want to archive account information for various reasons.

But what I really miss is the strength requirements for passwords... Can passwords be blanks? Can they contain the user name or company name? Does the password have to contain non-standard characters? Numbers? Caps?

All these rules won't do you any good if a user has the password ie. flower. It will take most programs to crack passwords only a few minutes to crack 'easy' passwords.

So I would also make a decission about passwords strength.

Met vriendelijke groet,

Philip Wagenaar
Junior Projectleider ICT

AccoN Accountants & Adviseurs
ICT Project Bureau
Postbus 5090
6802 EB Arnhem
The Netherlands

tel. +31 (0)26-3842384
fax. +31 (0)26-3630222
mobile: +31 (0)6-25388935
MSN/E-mail: p.wagenaar@accon.nl
Yahoo: philip_wagenaar
http://www.accon.nl

>>> "Randall M Gunning" <securityfocus@randygunning.com> 15-07-04 17:26 >>>
I am working on implementing some minimum standards for our department. I am
wondering what the list thinks of these standards:

a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be
shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30 days
will be deactivated.
f. Inactive user accounts will be deleted after 14 days.

The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items?

Please let me know if you have any questions.

Thanks,

Randy

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

##################################################################

Dit e-mailbericht is uitsluitend bestemd voor de geadresseerde.
De informatie hierin is vertrouwelijk, zodat het derden niet is
toegestaan om daarvan kennis te nemen of dit te verstrekken aan
andere derden. Indien u dit e-mail bericht ontvangt terwijl het
niet voor u bestemd is, verzoeken wij u contact op te nemen met
de afzender en de informatie te verwijderen van iedere computer.
Bij voorbaat dank.

==================================================================

The information transmitted in this e-mail is intended only for
the person or entity to which it is addressed and contains
confidential information. Any review, retransmission or other
use by persons or entities other than the intended recipient is
prohibited. If you received this in error, please contact the
sender and delete the material from any computer. Thank you.

##################################################################

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared
by MailMarshal
#####################################################################################

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Previous message: Gandalf The White: "Re: Comcast Cable Setup Security Issue"
• Next in thread: Majed Mohammed Ayoub Al-Shodari: "RE: Betr.: Minimum password requirements"
• Maybe reply: Majed Mohammed Ayoub Al-Shodari: "RE: Betr.: Minimum password requirements"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]